All Hail The Ambulance Chasers of Security

Wikipedia defines “ambulance chasing” as follows: “Ambulance chasing, sometimes known as barratry, is a professional slur which refers to a lawyer soliciting for clients at a disaster site. The term ‘ambulance chasing’ comes from the stereotype of lawyers that follow ambulances to the emergency room to find clients. The phrase ambulance chaser is also used more loosely as a derogatory term for a personal injury lawyer.”

Unfortunately, it seems to me that we in the security field suffer from a bit of an ambulance chasing problem. Of course, it is not personal injury lawyers I am referring to here, but rather, something else entirely.

From time to time in security, we experience certain high profile incidents. A big breach. A vendor slip-up. A serious vulnerability. A noteworthy attack. This is the ebb and flow of life in the security profession. In and of itself, the fact that these attention-grabbing events happen from time to time isn’t particularly shocking.

What is somewhat alarming, however, is the way in which the community typically reacts. Of course, the practitioners, those toiling day in and day out to defend and protect their organizations, don’t have much of a choice in how they react. They will have enquiries from management, conference calls, investigation, response, and a host of other activities to take care of.

But let’s take a look at how those in the security community who do have a choice in how to respond typically do so. In particular, let’s pay close attention to how those who have either an ability or an obligation to be seen as leaders typically respond.

To the disappointment of many in the security community, there are typically two responses, neither of which is particularly appropriate or helpful:

1. Mocking

2. Ambulance chasing

I’ve previously discussed the issues around mocking and how it is detrimental to and impedes our entire profession. I won’t rehash those points in this piece.

Instead, in this piece, I will delve into the topic of ambulance chasing, and how it also does a tremendous disservice to our security community as a whole. As I’m sure you’ve noticed, after every notable breach, slip-up, vulnerability, and attack, out come the ambulance chasers. There are essentially three main forms of ambulance chasing that I see:

● Vendors that pitch the message that “our product is 100% effective against <item du jour>”.

● Enterprises that run with the message “we take security so much more seriously than our competitor as evidenced by <item du jour>”.

We’ve all seen this type of behavior rampantly, unfortunately. But have we thought about how it harms our industry? Let’s take a look at a few of the ways in which this behavior is harmful:

Vendor Fatigue

If you haven’t already heard the term “vendor fatigue”, you will likely come across it soon. Simply put, there are nearly 2,000 vendors in the security space spanning upwards of 50 distinct markets. Besides overlap in functionality, many vendors have nearly identical messaging. So, if you think about it from the perspective of a security leader on the buying side, you quickly see that the onslaught of vendors is exhausting. It’s difficult to keep up with the sheer volume of pitches coming at you. At some point, it all begins to blend together. Ambulance chasing merely worsens vendor fatigue, making it that much harder for a vendor that has a real solution to one of an organization’s problems to get any mindshare.

Market Confusion

As I mentioned above, there are nearly 2,000 security vendors in the security space spread across upwards of 50 markets. Even the most seasoned security practitioners have trouble keeping up with the security market. It’s hard to know what’s really what sometimes, and which vendors can solve which problems. All that market confusion makes it difficult for buyers to really home in on the solutions they are looking for, and also makes it difficult for vendors to articulate the value they’re providing and which problems they’re solving. What effect does ambulance chasing have here? If you employ it as a marketing technique, it might get you labeled as an <item du jour> vendor. But are you sure that’s what you really want? Keep in mind that the <item du jour> changes regularly, and that market confusion makes it difficult to change perceptions. Need an example? When was the last time you were in the market for an “anti-APT” solution?

Adrift in a Sea of Hype and Buzz

The state of the security market has more or less caused most security professionals to consider any security marketing pure hype and buzz. Of course, that’s not actually the case -- there are some very good vendor products and services out there that address some important challenges. But ambulance chasing is one of the reasons that we find ourselves in this frame of mind. Ambulance chasing is definitely making life a lot harder for those who have something substantive to contribute to the discussion.

If you’re in security marketing, I hope that this piece will give you something to take home with you. The hype and buzz of ambulance chasing may bring you short-term attention, leads, and a PR boost. But ambulance chasing seldom results in conversion to real revenue. The people who are drawn to ambulance chasing are not necessarily the same people who make calculated and strategic security buying decisions. In fact, all ambulance chasing really accomplishes is inflicting pain on those serious security professionals who have to deal with its aftereffects. I encourage you to think long and hard before resorting to ambulance chasing. It’s for your own good, and for the good of the rest of us as well.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.